1. We realize the generalization of the results of the article [8] from symplectic geometry to pseudo-symplectic geometry over finite fields.

2. Theorem 3.7:

$$P_I[i,L] = \frac{1}{q^{(n-l)(v-r)+(r-n+1)}}, \qquad P_S[i,L] = \frac{1}{q^{r-l}},$$

respectively, where $i \notin L$.

3. From above we see, the substitution attack from $R_L$ on a receiver gets to the maximum when $l = r-1$.
§1 Introduction

Multi-receiver authentication codes (MRA-codes) were introduced by Desmedt, Frankel, and Yung (DFY) [1] as an extension of Simmons' model of unconditionally secure authentication. In an MRA-code, a sender wants to authenticate a message for a group of receivers such that each receiver can verify the authenticity of the received message. There are three phases in an MRA-code:

1. Key distribution. The KDC (key distribution centre) privately transmits the key information
to the sender and each receiver (the sender can also be the KDC).

2. Broadcast. For a source state, the sender generates the authenticated message using his/her 
key and broadcasts the authenticated message. 

3. Verification. Each user can verify the authenticity of the broadcast message. 

Denote by $X_1 \times \cdots \times X_n$ the direct product of sets $X_1, \ldots, X_n$, and by $p_i$ the projection mapping of $X_1 \times \cdots \times X_n$ on $X_i$. That is, $p_i : X_1 \times \cdots \times X_n \to X_i$ is defined by $p_i(x_1, x_2, \ldots, x_n) = x_i$. Let $g_1 : X_1 \to Y_1$ and $g_2 : X_2 \to Y_2$ be two mappings; we denote the direct product of $g_1$ and $g_2$ by $g_1 \times g_2$, where $g_1 \times g_2 : X_1 \times X_2 \to Y_1 \times Y_2$ is defined by $(g_1 \times g_2)(x_1, x_2) = (g_1(x_1), g_2(x_2))$. The identity mapping on a set $X$ is denoted by $1_X$.

Let $C = (S, M, E, f)$ and $C_i = (S, M_i, E_i, f_i)$, $i = 1, 2, \ldots, n$, be authentication codes. We call $(C; C_1, C_2, \ldots, C_n)$ a multi-receiver authentication code (MRA-code) if there exist two mappings $\tau : E \to E_1 \times \cdots \times E_n$ and $\pi : M \to M_1 \times \cdots \times M_n$ such that for any $(s, e) \in S \times E$ and any $1 \le i \le n$, the following identity holds

$$p_i(\pi f(s, e)) = f_i((1_S \times p_i \tau)(s, e)).$$

Let $\tau_i = p_i \tau$ and $\pi_i = p_i \pi$. Then we have for each $(s, e) \in S \times E$

$$\pi_i f(s, e) = f_i(1_S \times \tau_i)(s, e).$$
We adopt Kerckhoffs' principle that everything in the system except the actual keys of the sender
and receivers is public. This includes the probability distribution of the source states and the sender's
keys.

Attackers could be outsiders who do not have access to any key information, or insiders who 
have some key information. We only need to consider the latter group as it is at least as powerful as 
the former. We consider the systems that protect against the coalition of groups of up to a maximum 
size of receivers, and we study impersonation and substitution attacks. 

Assume there are $n$ receivers $R_1, \ldots, R_n$. Let $L = \{i_1, \ldots, i_l\} \subseteq \{1, \ldots, n\}$, $R_L = \{R_{i_1}, \ldots, R_{i_l}\}$ and $E_L = E_{R_{i_1}} \times \cdots \times E_{R_{i_l}}$. We consider the attack from $R_L$ on a receiver $R_i$, where $i \notin L$.

Impersonation attack: $R_L$, after receiving their secret keys, send a message $m$ to $R_i$. $R_L$ is successful if $m$ is accepted by $R_i$ as authentic. We denote by $P_I[i, L]$ the success probability of $R_L$ in performing an impersonation attack on $R_i$. This can be expressed as

$$P_I[i, L] = \max_{e_L \in E_L} \max_{m \in M} P(m \text{ is accepted by } R_i \mid e_L)$$

where $i \notin L$.

Substitution attack: $R_L$, after observing a message $m$ that is transmitted by the sender, replace $m$ with another message $m'$. $R_L$ is successful if $m'$ is accepted by $R_i$ as authentic. We denote by $P_S[i, L]$ the success probability of $R_L$ in performing a substitution attack on $R_i$. We have

$$P_S[i, L] = \max_{e_L \in E_L} \max_{m \in M} \max_{m' \ne m \in M} P(R_i \text{ accepts } m' \mid m, e_L)$$

where $i \notin L$.



§2 Pseudo-Symplectic Geometry 



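Let $F_q$ be the finite field with $q$ elements, where $q$ is a power of 2, $n = 2v + \delta$ and $\delta = 1, 2$. Let

$$K = \begin{pmatrix} 0 & I^{(v)} \\ I^{(v)} & 0 \end{pmatrix}, \qquad S_1 = \begin{pmatrix} K & \\ & 1 \end{pmatrix}, \qquad S_2 = \begin{pmatrix} K & & \\ & 0 & 1 \\ & 1 & 1 \end{pmatrix},$$

and $S_\delta$ is a $(2v + \delta) \times (2v + \delta)$ non-alternate symmetric matrix.

The pseudo-symplectic group of degree $(2v + \delta)$ over $F_q$ is defined to be the set of matrices
$Ps_{2v+\delta}(F_q) = \{T \mid T S_\delta\, {}^{t}T = S_\delta\}$, denoted by $Ps_{2v+\delta}(F_q)$.

Let $F_q^{(2v+\delta)}$ be the $(2v + \delta)$-dimensional row vector space over $F_q$. $Ps_{2v+\delta}(F_q)$ has an action on $F_q^{(2v+\delta)}$ defined as follows

$$F_q^{(2v+\delta)} \times Ps_{2v+\delta}(F_q) \to F_q^{(2v+\delta)},$$
$$((x_1, x_2, \ldots, x_{2v+\delta}), T) \mapsto (x_1, x_2, \ldots, x_{2v+\delta})T.$$

The vector space $F_q^{(2v+\delta)}$ together with this group action is called the pseudo-symplectic space over
the finite field $F_q$ of characteristic 2.

Let $P$ be an $m$-dimensional subspace of $F_q^{(2v+\delta)}$, then $P S_\delta\, {}^{t}P$ is cogredient to one of the following
three normal forms

$$M(m, 2s, s) = \begin{pmatrix} 0 & I^{(s)} & \\ I^{(s)} & 0 & \\ & & 0^{(m-2s)} \end{pmatrix},$$

$$M(m, 2s+1, s) = \begin{pmatrix} 0 & I^{(s)} & & \\ I^{(s)} & 0 & & \\ & & 1 & \\ & & & 0^{(m-2s-1)} \end{pmatrix},$$

$$M(m, 2s+2, s) = \begin{pmatrix} 0 & I^{(s)} & & & \\ I^{(s)} & 0 & & & \\ & & 0 & 1 & \\ & & 1 & 1 & \\ & & & & 0^{(m-2s-2)} \end{pmatrix}$$

for some $s$ such that $0 \le s \le [m/2]$. We say that $P$ is a subspace of type $(m, 2s + \tau, s, \epsilon)$, where $\tau = 0, 1$ or $2$ and $\epsilon = 0$ or $1$, if

(i) $P S_\delta\, {}^{t}P$ is cogredient to $M(m, 2s + \tau, s)$, and

(ii) $e_{2v+1} \notin P$ or $e_{2v+1} \in P$ according to $\epsilon = 0$ or $\epsilon = 1$, respectively.

Let $P$ be an $m$-dimensional subspace of $F_q^{(2v+\delta)}$. Denote by $P^\perp$ the set of vectors which are
orthogonal to every vector of $P$, i.e.,

$$P^\perp = \{y \in F_q^{(2v+\delta)} \mid y S_\delta\, {}^{t}x = 0 \text{ for all } x \in P\}.$$

Obviously, $P^\perp$ is a $(2v + \delta - m)$-dimensional subspace of $F_q^{(2v+\delta)}$.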

More properties of pseudo-symplectic geometry over finite fields can be found in [2]. 

In [3], Desmedt, Frankel and Yung gave two constructions for MRA-codes based on polynomials
and finite geometries, respectively. Other constructions of multi-receiver authentication
codes are given in [4-7]. The construction of authentication codes is combinatorial design in
its nature. We know that the geometry of classical groups over finite fields, including symplectic
geometry, pseudo-symplectic geometry, unitary geometry and orthogonal geometry, can provide a
good combinatorial structure that is easy to count. In this paper we construct one multi-receiver
authentication code from pseudo-symplectic geometry over finite fields. The parameters and the
probabilities of deceptions of this code are also computed. We realize the generalization of the
results of the article [8] from symplectic geometry to pseudo-symplectic geometry over finite fields.



§3 Construction 

Let $F_q$ be a finite field with $q$ elements and $e_i$ ($1 \le i \le 2v + 2$) be the row vector in $F_q^{(2v+2)}$ whose $i$-th coordinate is 1 and all other coordinates are 0. Assume that $2 \le n + 1 \le r \le v$. Let $U = \langle e_1, e_2, \ldots, e_n \rangle$, i.e., $U$ is an $n$-dimensional subspace of $F_q^{(2v+2)}$ generated by $e_1, e_2, \ldots, e_n$; then $U^\perp = \langle e_1, \ldots, e_v, e_{v+n+1}, \ldots, e_{2v+2} \rangle$. The set of source states is $S = \{s \mid s$ is a subspace of type $(2r - n + 1, 2(r-n), r-n, 1)$ and $U \subset s \subset U^\perp\}$; the set of transmitter's encoding rules is $E_T = \{e_T \mid e_T$ is a subspace of type $(2n, 2n, n, 0)$ and $U \subset e_T\}$; the set of the $i$-th receiver's decoding rules is $E_{R_i} = \{e_{R_i} \mid e_{R_i}$ is a subspace of type $(n+1, 0, 0, 0)$ which is orthogonal to $\langle e_1, \ldots, e_{i-1}, e_{i+1}, \ldots, e_n \rangle\}$, $1 \le i \le n$; the set of messages is $M = \{m \mid m$ is a subspace of type $(2r + 1, 2r, r, 1)$ and $U \subset m\}$.

1. Key Distribution. The KDC randomly chooses a subspace $e_T \in E_T$, then privately sends $e_T$ to the sender $T$. Then the KDC randomly chooses a subspace $e_{R_i} \in E_{R_i}$ with $e_{R_i} \subset e_T$, then privately sends $e_{R_i}$ to the $i$-th receiver, where $1 \le i \le n$.

2. Broadcast. For a source state $s \in S$, the sender calculates $m = s + e_T$ and broadcasts $m$.

3. Verification. Since the receiver $R_i$ holds the decoding rule $e_{R_i}$, $R_i$ accepts $m$ as authentic if $e_{R_i} \subset m$. $R_i$ can get $s$ from $s = m \cap U^\perp$.

Lemma 3.1 The above construction of multi-receiver authentication codes is reasonable, that is

(1) $s + e_T = m \in M$, for all $s \in S$ and $e_T \in E_T$;

(2) for any $m \in M$, $s = m \cap U^\perp$ is the unique source state contained in $m$ and there is $e_T \in E_T$ such that $m = s + e_T$.
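Proof. (1) For any $s \in S$, $e_T \in E_T$, because $s$ is a subspace of type $(2r - n, 2(r-n), r-n, 1)$ and $U \subset s \subset U^\perp$, we can assume that

$$s = \begin{pmatrix} U \\ Q \\ e_{2v+1} \end{pmatrix}$$

and

$$\begin{pmatrix} U \\ Q \\ e_{2v+1} \end{pmatrix} S_2\, {}^{t}\!\begin{pmatrix} U \\ Q \\ e_{2v+1} \end{pmatrix} = \begin{pmatrix} 0^{(n)} & 0 & 0 & 0 \\ 0 & 0 & I^{(r-n)} & 0 \\ 0 & I^{(r-n)} & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix},$$

$$e_T = \begin{pmatrix} U \\ V \end{pmatrix}$$

and

$$\begin{pmatrix} U \\ V \end{pmatrix} S_2\, {}^{t}\!\begin{pmatrix} U \\ V \end{pmatrix} = \begin{pmatrix} 0 & I^{(n)} \\ I^{(n)} & 0 \end{pmatrix}.$$

Obviously, for any $v \in V$ and $v \ne 0$, $v \notin s$, therefore,

$$m = s + e_T = \begin{pmatrix} U \\ V \\ Q \\ e_{2v+1} \end{pmatrix}$$

and

$$\begin{pmatrix} U \\ V \\ Q \\ e_{2v+1} \end{pmatrix} S_2\, {}^{t}\!\begin{pmatrix} U \\ V \\ Q \\ e_{2v+1} \end{pmatrix} = \begin{pmatrix} 0 & I^{(n)} & 0 & 0 & 0 \\ I^{(n)} & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & I^{(r-n)} & 0 \\ 0 & 0 & I^{(r-n)} & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix}.$$

From above, $m$ is a subspace of type $(2r + 1, 2r, r, 1)$ and $U \subset m$, i.e., $m \in M$.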

(2) For $m \in M$, $m$ is a subspace of type $(2r + 1, 2r, r, 1)$ and $U \subset m$, so there is a subspace
$V \subset m$, satisfying

Let

$$s = \begin{pmatrix} U \\ Q \\ e_{2v+1} \end{pmatrix}.$$

Then $s$ is a subspace of type $(2r - n + 1, 2(r-n), r-n, 1)$ and $U \subset s \subset U^\perp$, i.e., $s \in S$ is a source state.

For any $v \in V$ and $v \ne 0$, $v \notin s$ is obvious, i.e., $V \cap U^\perp = \{0\}$. Therefore,

$$m \cap U^\perp = \begin{pmatrix} U \\ Q \\ e_{2v+1} \end{pmatrix} = s.$$

Let $e_T = \begin{pmatrix} U \\ V \end{pmatrix}$, then $e_T$ is a transmitter's encoding rule satisfying $m = s + e_T$.

If $s'$ is another source state contained in $m$, then $U \subset s' \subset U^\perp$. Therefore, $s' \subset m \cap U^\perp = s$, while
$\dim s' = \dim s$, so $s' = s$, i.e., $s$ is the unique source state contained in $m$.

From Lemma 3.1, we know that such a construction of multi-receiver authentication codes is reasonable and there are $n$ receivers in this system. Next we compute the parameters of this code.

Lemma 3.2 The parameters of this construction are

$$|S| = N(2(r-n), 2(r-n), r-n, 0; 2v+2); \quad |E_T| = q^{n(v-n+1)}; \quad |E_{R_i}| = q^{v-n+1}.$$

Proof. Since $U \subset s \subset U^\perp$, $s$ has the form as follows

$$s = \begin{pmatrix} I^{(n)} & & & & & \\ & B_2 & & B_4 & & \\ & & & & 1 & 0 \end{pmatrix},$$

where $(B_2, B_4)$ is a subspace of type $(2(r-n), 2(r-n), r-n, 0)$ in the pseudo-symplectic space $F_q^{(2v+2)}$.
So $|S| = N(2(r-n), 2(r-n), r-n, 0; 2v+2)$.

Since $e_T$ is a subspace of type $(2n, 2n, n, 0)$, $e_T$ has the form as follows

$$e_T = \begin{pmatrix} I^{(n)} & 0 & 0 & 0 & 0 & 0 \\ 0 & R_2 & I^{(n)} & R_4 & R_5 & R_6 \end{pmatrix},$$

with column blocks of widths $n$, $v-n$, $n$, $v-n$, $1$, $1$. Since $e_T$ is a subspace of type $(2n, 2n, n, 0)$, $R_4 = 0$ and $R_6 = 0$, while $R_2$, $R_5$ are arbitrary. Therefore

$$|E_T| = q^{n(v-n+1)}.$$



For any $e_{R_i} \in E_{R_i}$, $e_{R_i}$ is a subspace of type $(n+1, 0, 0, 0)$ which is orthogonal to $\langle e_1, \ldots, e_{i-1}, e_{i+1}, \ldots, e_n \rangle$,

$1 \le i \le n$. So we can assume that

' / w 000 0000 ^ 
e s . = / (n -° 000 0000 

1 H' % H' 9 H' K , 

/ «-/ v-n / /-/-l 1 «-/ v-/i 1 1 

Since e Rj is a subspace of type (n + 1, 0, 0, 0), so H' s = and 7/| = 0, H3, H' 9 arbitrarily. Therefore, 

$|E_{R_i}| = q^{v-n+1}$.

Lemma 3.3 (1) The number of $e_T$ contained in $m$ is $q^{n(r-n+1)}$;

(2) The number of the messages is \M\ = q 2n( - v - r+l) N(2(r - n), 2(r - n), r - n, l;2v + 2). 
Proof. Let m be a message, from the definition of m, we may take m as follows 
If $e_T \subset m$, then we can assume that

$$e_T = \begin{pmatrix} I^{(n)} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & R_2 & 0 & I^{(n)} & 0 & 0 & R_7 & 0 \end{pmatrix},$$

with column blocks of widths $n$, $r-n$, $v-r$, $n$, $r-n$, $v-r$, $1$, $1$, where $R_2$ and $R_7$ are arbitrary. Therefore the number of $e_T$ contained in $m$ is $q^{n(r-n+1)}$.

(2) We know that a message contains only one source state and the number of the transmitter's
encoding rules contained in a message is $q^{n(r-n+1)}$. Therefore we have $|M| = |S||E_T|/q^{n(r-n+1)} = q^{n(v-r)} N(2(r-n), 2(r-n), r-n, 0; 2v+2)$.



Assume there are $n$ receivers $R_1, \ldots, R_n$. Let $L = \{i_1, \ldots, i_l\} \subseteq \{1, \ldots, n\}$, $R_L = \{R_{i_1}, \ldots, R_{i_l}\}$ and $E_L = E_{R_{i_1}} \times \cdots \times E_{R_{i_l}}$. We consider the impersonation attack and substitution attack from $R_L$ on a receiver $R_i$, where $i \notin L$.

Without loss of generality, we can assume that $R_L = \{R_1, \ldots, R_l\}$, $E_L = E_{R_1} \times \cdots \times E_{R_l}$, where $1 \le l \le n-1$. First, we will prove the following results:

Lemma 3.4 For any $e_L = (e_{R_1}, \ldots, e_{R_l}) \in E_L$, the number of $e_T$ containing $e_L$ is $q^{(v-n+1)(n-l)}$.

Proof. For any $e_L = (e_{R_1}, \ldots, e_{R_l}) \in E_L$, we can assume that

Therefore, $e_T$ containing $e_L$ has the form as follows

$$e_T = \begin{pmatrix} I^{(l)} & 0 & 0 & 0 & & & & \\ & I^{(n-l)} & & & & & & \\ & & R_3 & I^{(l)} & & & & \\ & & H_3 & & I^{(n-l)} & & H_7 & \end{pmatrix},$$

with column blocks of widths $l$, $n-l$, $v-n$, $l$, $n-l$, $v-n$, $1$, $1$, where $H_3$, $H_7$ are arbitrary. Therefore, the number of $e_T$ containing $e_L$ is $q^{(v-n+1)(n-l)}$.
Lemma 3.5 For any $m \in M$ and $e_L, e_{R_i} \subset m$,

(1) the number of $e_T$ contained in $m$ and containing $e_L$ is $q^{(r-n+1)(n-l)}$;

(2) the number of $e_T$ contained in $m$ and containing $e_L$, $e_{R_i}$ is $q^{(n-l-1)(r-n+1)}$.

Proof. (1) From the definition of $m$, we may take $m$ as follows

If $e_L \subset m$, then $e_L$ has the form as follows:

If $e_T \subset m$ and $e_T \supset e_L$, then

where $H_3$ and $H_9$ are arbitrary. Therefore, the number of $e_T$ contained in $m$ and containing $e_L$ is $q^{(r-n+1)(n-l)}$.

(2) Similarly, by computation, we can prove that the $e_T$ contained in $m$ and containing $e_L$, $e_{R_i}$ has the following form

where $R'_3, R'_9$ and $R''_3, R''_9$ are arbitrary. Therefore, the number of $e_T$ contained in $m$ and containing $e_L$, $e_{R_i}$ is $q^{(n-l-1)(r-n+1)}$.

Lemma 3.6 Assume that $m_1$ and $m_2$ are two distinct messages which commonly contain a transmitter's encoding rule $e_T$. $s_1$ and $s_2$ contained in $m_1$ and $m_2$ are two source states, respectively. Assume that $s_0 = s_1 \cap s_2$, $\dim s_0 = k$, then $n \le k \le 2r - n$. For any $e_L, e_{R_i} \subset m_1 \cap m_2$, the number of $e_T$ contained in $m_1 \cap m_2$ and containing $e_L$, $e_{R_i}$ is $q^{(k-r)(n-l-1)}$.

Proof. Since $m_1 = s_1 + e_T$, $m_2 = s_2 + e_T$ and $m_1 \ne m_2$, then $s_1 \ne s_2$. For any $s \in S$, $U \subset s$; obviously, $n \le k \le 2r - n$. Assume that $s'_i$ is the complementary subspace of $s_0$ in $s_i$, then $s_i = s_0 + s'_i$ ($i = 1, 2$). From $m_i = s_i + e_T = s_0 + s'_i + e_T$, we have $m_1 \cap m_2 = s_0 + e_T$.

From the definition of the message, we may take $m_i$, $i = 1, 2$ as follows



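$$\begin{pmatrix} I^{(l)} & & & & & & & & & \\ & I^{(n-l)} & & & & & & & & \\ & & A_3 & & & & & & & \\ & & & & I^{(l)} & & & & & \\ & & & & & I^{(n-l)} & & & & \\ & & & & & & I^{(r-n)} & & & \\ & & & & & & & & 1 & \end{pmatrix},$$

with row blocks of heights $l$, $n-l$, $r-n$, $l$, $n-l$, $r-n$, $1$ and column blocks of widths $l$, $n-l$, $r-n$, $v-r$, $l$, $n-l$, $r-n$, $v-r$, $1$, $1$.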

Xiuli Wang 






Let 
From above we know that $m_1 \cap m_2 = s_0 + e_T$, then $\dim(m_1 \cap m_2) = k + 2n - n = k + n$, therefore,

$k + n - (2n + r - n) = k - r$.

$\subset m_1 \cap m_2$ and containing $e_L$, $e_{R_i}$, so has the form as follows

where every row of



R'{ R[\ 
R';' R'([ 



is the linear combination of the base of 



Pi 
1 



So it is easy to see that the number of $e_T \subset m_1 \cap m_2$ and containing $e_L$, $e_{R_i}$ is $q^{(k-r)(n-l-1)}$.
Theorem 3.7 In the constructed multi-receiver authentication codes, the largest probabilities of
success for impersonation attack and substitution attack from $R_L$ on a receiver $R_i$ are

$$P_I[i, L] = \frac{1}{q^{(n-l)(v-r)+(r-n+1)}}, \qquad P_S[i, L] = \frac{1}{q^{r-l}},$$

respectively, where $i \notin L$.

Proof. Impersonation attack: $R_L$, after receiving their secret keys, send a message $m$ to $R_i$. $R_L$
is successful if $m$ is accepted by $R_i$ as authentic. Therefore

$$P_I[i, L] = \max_{e_L \in E_L} \left\{ \frac{\max_{m \in M} |\{e_T \in E_T \mid e_T \subset m \text{ and } e_T \supset e_L, e_{R_i}\}|}{|\{e_T \in E_T \mid e_T \supset e_L\}|} \right\} = \frac{q^{(n-l-1)(r-n+1)}}{q^{(v-n+1)(n-l)}} = \frac{1}{q^{(n-l)(v-r)+(r-n+1)}}.$$

Substitution attack: $R_L$, after observing a message $m$ that is transmitted by the sender, replace $m$
with another message $m'$. $R_L$ is successful if $m'$ is accepted by $R_i$ as authentic. Therefore

$$P_S[i, L] = \max_{e_L \in E_L} \max_{m \in M} \left\{ \frac{\max_{m' \in M} |\{e_T \in E_T \mid e_T \subset m, m' \text{ and } e_T \supset e_L, e_{R_i}\}|}{|\{e_T \in E_T \mid e_T \subset m \text{ and } e_T \supset e_L\}|} \right\} = \max_{n \le k \le 2r-n} \frac{q^{(k-r)(n-l-1)}}{q^{(n-l)(r-n+1)}} = \frac{1}{q^{r-l}}.$$

From above we see, the substitution attack from $R_L$ on a receiver gets to the maximum when $l = r - 1$.
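The deception probabilities of Theorem 3.7 can be recomputed directly from the counts in Lemmas 3.4 to 3.6, which makes the effect of the coalition size $l$ easy to tabulate. The following Python is an added example, not code from the paper; the function names and the sample parameters ($q = 2$, $n = 3$, $r = 4$, $v = 5$) are assumptions chosen only to satisfy $2 \le n+1 \le r \le v$.

```python
from fractions import Fraction

def _check(q, n, r, v, l):
    # Constraints taken from the construction: q a power of 2,
    # 2 <= n+1 <= r <= v, and a coalition of l receivers, 1 <= l <= n-1.
    if q < 2 or q & (q - 1):
        raise ValueError("q must be a power of 2")
    if not 2 <= n + 1 <= r <= v:
        raise ValueError("need 2 <= n+1 <= r <= v")
    if not 1 <= l <= n - 1:
        raise ValueError("need 1 <= l <= n-1")

def impersonation_prob(q, n, r, v, l):
    """P_I[i,L]: ratio of the Lemma 3.5(2) count to the Lemma 3.4 count."""
    _check(q, n, r, v, l)
    keys_in_m = q ** ((n - l - 1) * (r - n + 1))   # Lemma 3.5(2)
    keys_total = q ** ((v - n + 1) * (n - l))      # Lemma 3.4
    return Fraction(keys_in_m, keys_total)

def substitution_prob(q, n, r, v, l):
    """P_S[i,L]: maximise Lemma 3.6 / Lemma 3.5(1) over k = dim(s1 meet s2)."""
    _check(q, n, r, v, l)
    keys_in_m = q ** ((r - n + 1) * (n - l))       # Lemma 3.5(1)
    return max(
        Fraction(q) ** ((k - r) * (n - l - 1)) / keys_in_m   # Lemma 3.6
        for k in range(n, 2 * r - n + 1)           # n <= k <= 2r - n
    )

def deception_table(q, n, r, v):
    """Rows (l, P_I, P_S) for every admissible coalition size l."""
    return [(l, impersonation_prob(q, n, r, v, l),
             substitution_prob(q, n, r, v, l)) for l in range(1, n)]

if __name__ == "__main__":
    # Constructed parameters, chosen only to satisfy the constraints above.
    for l, p_i, p_s in deception_table(q=2, n=3, r=4, v=5):
        print(f"l={l}  P_I={p_i}  P_S={p_s}")
```

For these parameters the table gives $P_I = 1/16$, $P_S = 1/8$ at $l = 1$ and $P_I = 1/8$, $P_S = 1/4$ at $l = 2$, so each additional colluding receiver costs a factor of $q$ in substitution resistance.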



References 



[1] Safavi-Naini R, Wang H. Multi-receiver Authentication Codes: Models, Bounds, Constructions and Extensions, Information and Computation, 151(1):148-172, 1999

[2] Wan Zhexian. Geometry of Classical Groups over Finite Fields (2nd Edition), Science Press, Beijing/New York, 2002

[3] Y. Desmedt, Y. Frankel and M. Yung. Multi-receiver/Multi-sender network security: efficient authenticated multicast/feedback, IEEE Infocom'92: 2045-2054, 1992

[4] G. J. Simmons. Message authentication with arbitration of transmitter/receiver disputes, Proc. Eurocrypt 87, Lecture Notes in Computer Science, 304:151-165, 1985

[5] Safavi-Naini R, Wang Huaxiong. New results on multi-receiver authentication codes, Lecture Notes in Computer Science, 1403:527-541, 1998

[6] Satoshi Obana and Kaoru Kurosawa. Bounds and combinatorial structure of (k,n) multi-receiver A-Codes, Designs, Codes and Cryptography, 22:47-63, 2001

[7] Li Xiyang, Qin Cong. New Constructions of Multi-receiver Authentication Codes, Calculator Engineering, 34(15):138-175, 2008

[8] Chen Shangdi, Zhao Dawei. Two Constructions of Multireceiver Authentication Codes from Symplectic Geometry over Finite Fields, Ars Combinatoria, XCIX, April: 193-203, 2011



